"""CSRF defense via ``X-Requested-With`` header on mutating requests. CONTRACT.md §3 + BACKEND_BUILD.md §6.4 design notes: - The session cookie is ``SameSite=Lax``, which already blocks classic cross-site form-POST CSRF (the browser strips the cookie). Lax does *not* block top-level navigation POSTs initiated by ``